There are several improvements in virtual networking and security within the latest vSphere and vCloud products. vCloud Networking and Security lowers of the overall cost to implement endpoint security within a vSphere environment. VMware has accomplished this by including vShield Endpoint into vSphere. There by lowering the cost to offloaded antivirus and malware to just the product chosen to implement antivirus and antimalware.
By far the biggest change is the implementation of VXLAN, which is implemented with in vSphere. VXLAN allows the ability to create a software defined network.
- VXLAN will span vSphere clusters, virtual switches, and layer 3 physical networks. How does this work? Because VXLAN is a layer-2 overlay network using MAC in UDP tunneling.
vCloud Networking and Security
VMware has also renamed vShield Edge to vCloud Networking and Security (vCNS) Edge Gateway and vShield App to vCNS App. But other than renamed products what has been added?
- High Available vCNS Edge Gateway with 10 user defined network interfaces. While vShield Edge provided single internal and external interfaces vCNS Edge 5.1 will allow you to define up to 10 internal or external interfaces, as well as logical groupings for internal vs external which makes use of the 10 vNICs that have been available on virtual machines since vSphere 4.x.
vCNS Edge Gateway in addition provides an active standby high availability pair with stateful session failover, automatic configuration syncing. In this way if one firewall dies, the standby firewall will take over in less than 10 seconds. This provides minimal loss of firewall functionality.
- Advanced load balancing features are now part of vCNS Edge Gateway. While in the past there was simple load balancing vCNS Edge Gateway now includes round robin load balancing that will verify the health of the target VMs and not send traffic if the health check fails with session persistence. In other words, if a session starts on a target VM, continued traffic for a given session stays on the target VM. The vCNS Edge Gateway load balancer natively handles HTTP and HTTPS, but also provides a pass-through mechanism for other protocols.
- SSL VPN is now a supported mode of VPN as well as the existing IPSec Tunneling protocols. An SSL VPN could be used for management traffic for a hybrid cloud or to access your individual vCloud tenant, or management features of your virtual environment making use of the vCNS Edge Gateway.
- The vCloud Service Automation framework allows the integration of third party security applications within the virtual environment. This framework provides a set of APIs for integration into the virtual environment.
- Inside the VM via vCNS endpoint security version 2 (EPsec v2) APIs.
- Edge of the VM via vCNS App APIs
- Edge of the virtual network via vCNS Edge Gateway APIs
- NETX 10 tuple based data redirection between physical and virtual or virtual and virtual security appliances.
- vCNS also includes a few updates to the vNetwork distributed switch such as:
- Netflow v9
- Network Health Checks which is a limited set of health checks to ensure the network is healthy and that all hosts in a cluster have the same network constructs.
But what do all these improvements mean?
In a nutshell they enable the software-defined datacenter.
Simply put, VXLAN widens the capabilities of a single vCloud virtual data center to span multiple clusters instead of being limited to just 32 hosts in a cluster. This will improve cloud implementations for service providers and larger private clouds. VXLAN may eventually allow for software-defined networks that span hybrid clouds. On the security side, the improvements and implementation of vCloud Service Automation framework allows for the creation of a software-defined security layer.
Both of these technologies are necessary if there is to be a software-defined data center.
Share this Article:
Latest posts by Edward Haletky (see all)
- Scale and Engineering - March 23, 2017
- SDS and Docker: The Beginnings of a Beautiful Friendship - March 21, 2017
- Security Operations Center: Not Just Visibility - March 14, 2017